Data Processing Addendum (DPA)

1. Purpose and Legal Effect

This Data Processing Addendum (“DPA”) forms part of the agreement between Permanent Systems LLC (Georgia) (“Processor”) and the customer using the Services (“Tenant” or “Controller”).

This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Services and applies where required by applicable data protection laws.

In the event of a conflict between this DPA and any other agreement, this DPA shall prevail with respect to data protection and processing obligations.

2. Definitions

For the purposes of this DPA, the terms “personal data”, “processing”, “controller”, “processor”, and “data subject” shall have the meanings given to them under applicable data protection laws, including the GDPR where applicable.

3. Roles of the Parties

3.1 Controller

The Tenant acts as the Data Controller with respect to all personal data processed through the Services on behalf of the Tenant.

The Controller determines:

the purposes of processing;
the legal bases for processing;
the categories of personal data and data subjects;
retention periods and deletion requirements.

3.2 Processor

Permanent Systems LLC (Georgia) acts as the Data Processor and processes personal data solely on behalf of and in accordance with documented instructions from the Controller.

The Processor does not determine the purposes or legal grounds for processing tenant-controlled data.

4. Scope and Nature of Processing

The Processor processes personal data solely for the purpose of providing and operating the Services, including:

storage, transmission, and retrieval of data;
processing of messages, content, and related metadata;
execution of tenant-configured workflows and operations.

Processing is limited to what is necessary to provide the Services.

5. Controller Obligations

The Controller represents and warrants that it:

complies with all applicable data protection laws;
has a valid legal basis for processing personal data;
has provided all required notices to data subjects;
has obtained all necessary consents where required;
responds to data subject requests and regulatory inquiries.

The Processor does not monitor or verify the Controller’s compliance.

6. Processor Obligations

The Processor shall:

process personal data only on documented instructions from the Controller;
implement reasonable technical and organizational security measures;
ensure that personnel authorized to process personal data are bound by confidentiality obligations;
assist the Controller, where required by law, in responding to data subject requests;
notify the Controller of personal data breaches without undue delay.

7. Subprocessing

The Controller authorizes the Processor to engage subprocessors as necessary to provide the Services.

The Processor shall ensure that subprocessors are subject to data protection obligations no less protective than those set out in this DPA.

A current list of subprocessors may be made available upon request or via documentation.

8. Security Measures

The Processor implements reasonable technical and organizational measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Security measures are described at a high level in the Privacy documentation and may evolve over time.

9. Personal Data Breaches

In the event of a personal data breach affecting tenant-controlled data:

the Processor shall notify the Controller without undue delay after becoming aware of the breach;
the Controller is solely responsible for assessing notification obligations to supervisory authorities and data subjects.

10. Data Subject Requests

The Processor shall, to the extent legally required, assist the Controller in responding to data subject requests.

The Controller remains solely responsible for handling and responding to such requests.

11. Data Retention and Deletion

Upon termination of the Services or upon Controller request, personal data shall be deleted or anonymized in accordance with the applicable agreement and technical limitations, unless retention is required by law.

Backup and recovery copies may be retained for limited periods.

12. Cross-Border Data Transfers

Personal data may be processed or stored in multiple jurisdictions.

Where required by applicable law, appropriate safeguards for cross-border data transfers shall be applied.

13. Audits

To the extent required by applicable law, the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits shall be subject to reasonable scope, confidentiality, and security restrictions.

14. Limitation of Liability

Nothing in this DPA shall increase the Processor’s liability beyond what is expressly set out in the main agreement.

The Processor shall not be liable for violations resulting from the Controller’s instructions, configurations, or failure to comply with applicable laws.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the main agreement between the parties, unless otherwise required by applicable data protection laws.

16. Termination

This DPA shall remain in effect for the duration of the processing of personal data and shall terminate automatically upon termination of the main agreement.

1. Purpose and Legal Effect​

2. Definitions​

3. Roles of the Parties​

3.1 Controller​

3.2 Processor​

4. Scope and Nature of Processing​

5. Controller Obligations​

6. Processor Obligations​

7. Subprocessing​

8. Security Measures​

9. Personal Data Breaches​

10. Data Subject Requests​

11. Data Retention and Deletion​

12. Cross-Border Data Transfers​

13. Audits​

14. Limitation of Liability​

15. Governing Law​

16. Termination​